author     Gregory P. Smith <greg@krypto.org>   2013-02-01 19:31:31 (GMT)
committer  Gregory P. Smith <greg@krypto.org>   2013-02-01 19:31:31 (GMT)
commit     193e1be72d2f9bb45e054b38dd9ed1090c45f3bf
tree       ed26dbea67939a7a01ea3ee20190285d97fb7645 /Doc/library
parent     0ecd30b4af4f5bd3c9e884a608e0a256ffe8f5fa
parent     b47acbf46abd425f69dcc03e9b4f0c7f7c321ac2
Fixes Issue #6972: The zipfile module no longer overwrites files outside of
its destination path when extracting malicious zip files.
Diffstat (limited to 'Doc/library')
-rw-r--r--  Doc/library/zipfile.rst  17
1 files changed, 12 insertions, 5 deletions
diff --git a/Doc/library/zipfile.rst b/Doc/library/zipfile.rst
index 9f6e077..54f9b4b 100644
--- a/Doc/library/zipfile.rst
+++ b/Doc/library/zipfile.rst
@@ -242,6 +242,16 @@ ZipFile Objects
to extract to. *member* can be a filename or a :class:`ZipInfo` object.
*pwd* is the password used for encrypted files.
+ .. note::
+
+ If a member filename is an absolute path, a drive/UNC sharepoint and
+ leading (back)slashes will be stripped, e.g.: ``///foo/bar`` becomes
+ ``foo/bar`` on Unix, and ``ะก:\foo\bar`` becomes ``foo\bar`` on Windows.
+ And all ``".."`` components in a member filename will be removed, e.g.:
+ ``../../foo../../ba..r`` becomes ``foo../ba..r``. On Windows illegal
+ characters (``:``, ``<``, ``>``, ``|``, ``"``, ``?``, and ``*``)
+ replaced by underscore (``_``).
+
.. method:: ZipFile.extractall(path=None, members=None, pwd=None)
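Review bot: the drive letter in ``ะก:\foo\bar`` in the Windows example of the added note is not an ASCII ``C`` (it renders as a non-Latin character), so the example should read ``C:\foo\bar``; a reader copying it would otherwise get a path that never matches a real drive. Two wording fixes in the same block: "On Windows illegal characters (...) replaced by underscore" is missing its verb and should read "are replaced by an underscore", and the sentence starting "And all ``".."`` components" should drop the leading "And". Since the commit message states that this change stops extraction from writing outside the destination path, the note could also say explicitly that these rewrites exist so that every extracted member lands under *path*; as written, the reader has to infer why leading slashes, drive prefixes and ``..`` components are stripped.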
@@ -250,12 +260,9 @@ ZipFile Objects
be a subset of the list returned by :meth:`namelist`. *pwd* is the password
used for encrypted files.
- .. warning::
+ .. note::
- Never extract archives from untrusted sources without prior inspection.
- It is possible that files are created outside of *path*, e.g. members
- that have absolute filenames starting with ``"/"`` or filenames with two
- dots ``".."``.
+ See :meth:`extract` note.
.. method:: ZipFile.printdir()
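Review bot: replacing the warning with "See :meth:`extract` note." drops the first sentence of the old text, "Never extract archives from untrusted sources without prior inspection". The fix described in the commit message addresses only the second part of the removed warning (members creating files outside *path*); the first sentence is general advice that still applies, so consider keeping it in the new note and pointing to :meth:`extract` only for the filename-rewriting details. The cross-reference itself also reads awkwardly; "See the note under :meth:`extract`." would be clearer.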